On Mon, 2008-06-30 at 17:17 -0500, McDonald, Dan wrote:
> On Mon, 2008-06-30 at 22:04 +0200, mouss wrote:
> > McDonald, Dan wrote:
> > > On Sat, 2008-06-28 at 01:40 +0200, mouss wrote:
> > >
> > >> mouss wrote:
> > >>
> > >>>> Is there some way to grab the metadata from IPCountry to count the
> > >>>> number of countries that were involved in sending a mail, and set a
> > >>>> score based on that?
> > >>>>
> > >>> you mean catching the "Junkman traveller"?
> > >>>

Ok, been fiddling with this. Here is my current rule:

header __IS_LIST exists:List-Id
describe __IS_LIST Is this a mailing list?
header __MULTI_COUNTRY exists:X-Relay-Country-Count
describe __MULTI_COUNTRY Has this message passed through two or more countries?
header __LAST_RELAY_US X-Relay-Countries=~/US\b$/
describe __LAST_RELAY_US Came from our home country
meta AE_RELAY_MANY !__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US
describe AE_RELAY_MANY passed through 2 foreign countries and is not a mailing list
score AE_RELAY_MANY 0.25

I also changed RelayCountry.pm to only insert the X-Relay-Country-Count header if there were two or more countries involved, mainly to allow a simple exists query rather than a regex...

But I was very encouraged by my first two hits:

Jul 1 08:05:03 ca amavis[1869]: (01869-04) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=22.549 tag=-99 tag2=4.5 kill=6.31 tests=[ADVANCE_FEE_2=2.049, ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502, AE_RELAY_MANY=0.1, DATE_IN_FUTURE_06_12=3.099, DEAR_SOMETHING=2.234, FORGED_MUA_OUTLOOK=4.199, FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2, L_P0F_Linux=-0.1, MSOE_MID_WRONG_CASE=0.699, RELAY_NG=2, SARE_FRAUD_X3=1.667, US_DOLLARS_3=1.165], autolearn=disabled

Jul 1 08:13:55 ca amavis[1852]: (01852-07) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=24.912 tag=-99 tag2=4.5 kill=6.31 tests=[ADVANCE_FEE_2=2.049, ADVANCE_FEE_3=1.435, ADVANCE_FEE_4=1.502, AE_RELAY_MANY=0.1, DEAR_SOMETHING=2.234, FORGED_MUA_OUTLOOK=4.199, FREEMAIL_FROM=0.5, FREEMAIL_REPLYTO=2, L_P0F_Linux=-0.1, MSOE_MID_WRONG_CASE=0.699, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RELAY_CN=3, SARE_FRAUD_X3=1.667, SPF_SOFTFAIL=0.654, SUBJ_ALL_CAPS=1.806, URG_BIZ=0.667], autolearn=disabled

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
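
An added example, not part of the original message and not SpamAssassin or RelayCountry.pm code: a small Python harness that replays the rule logic above over constructed header values, to check which relay paths would trigger AE_RELAY_MANY before the rule goes live. It assumes X-Relay-Countries holds space-separated country codes, that XX marks an unresolved relay, and that the count is of distinct codes; the post does not say how its modified plugin counts.

```python
import re

# Mirrors __LAST_RELAY_US from the post: the value ends with the code US.
LAST_RELAY_US = re.compile(r"US\b$")

def relay_country_count(relay_countries, ignore=("XX",)):
    """Distinct country codes in an X-Relay-Countries value.

    Assumption: codes are space-separated and "XX" marks an unresolved relay;
    counting distinct codes (not hops) is this example's choice.
    """
    codes = {c.upper() for c in relay_countries.split()}
    return len(codes - set(ignore))

def add_count_header(headers):
    """Return a copy with X-Relay-Country-Count set only when count >= 2,
    so a plain exists: test is enough, as the post describes."""
    out = dict(headers)
    n = relay_country_count(out.get("X-Relay-Countries", ""))
    if n >= 2:
        out["X-Relay-Country-Count"] = str(n)
    return out

def ae_relay_many(headers):
    """meta AE_RELAY_MANY: !__IS_LIST && __MULTI_COUNTRY && !__LAST_RELAY_US"""
    h = add_count_header(headers)
    is_list = "List-Id" in h
    multi_country = "X-Relay-Country-Count" in h
    last_relay_us = bool(LAST_RELAY_US.search(h.get("X-Relay-Countries", "")))
    return (not is_list) and multi_country and (not last_relay_us)

# Constructed sample header sets (not taken from the post's log lines).
SAMPLES = {
    "two foreign relays": {"X-Relay-Countries": "NG CN"},
    "foreign then home": {"X-Relay-Countries": "NG US"},
    "mailing list": {"X-Relay-Countries": "DE FR",
                     "List-Id": "<users.example.org>"},
    "same country twice": {"X-Relay-Countries": "CN CN"},
    "unresolved hop": {"X-Relay-Countries": "XX CN"},
}

def run_samples():
    """Evaluate the meta rule for every constructed sample."""
    return {name: ae_relay_many(h) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:20} AE_RELAY_MANY={hit}")
```

Only the first sample fires; the others show the cases the rule is meant to let through, plus the effect of the distinct-code and XX assumptions on the count.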